Fake AV, Fake Support

The anti-malware industry sometimes sees more complicated problems than you might imagine, and they can’t all be fixed by tweaking detection algorithms or giving the marketing team a productivity bonus.

If you’re a corporate customer and you’ve ever had issues with mass malware infection or a critical false positive, you will have thought about support issues, of course, and larger sites might have a carefully negotiated, tailored contract in place to cover potential problems. For home users it’s a bit different, and many consumers prefer a free product with no support to a for-fee product that includes support.

Don’t Reach for that Box of Tissues...

Surprisingly enough, the anti-malware industry isn’t particularly unhappy about that (obviously, since several vendors have scanners that are free to non-corporate users). That’s because a decent support service is expensive to maintain. Since the market will only bear a relatively low cost for a single user licence, consumer support doesn’t necessarily generate a good return on that investment.

The whole free versus for-fee issue in the security market is kind of interesting in its own right (especially at a time when, according to a recent OPSWAT report, companies that offer free products represent a majority of the market), and while marketing models are not my speciality, it’s likely that I’ll come back to that another time. What has interested me lately, though, is a manifestation of the “black” economy where the purveyors of fake AV and other bottom feeders are flourishing. There is clearly a profit to be turned in filling the gaps left by free antivirus products.

...And Don’t Touch That Button

An article at Help Net Security by Kaspersky’s Nicholas Brulez recently highlighted one interesting aspect of the fake AV problem: more and more rogue security products are incorporating an “online support” button. That article describes the way that the victim’s engagement with the fake product is escalated from free scanner to free (one day) trial, to uninstaller, complete with a customer satisfaction survey at the end. Well, that sounds to me like an interesting variation on the process of legitimization of a fake product that sees real anti-malware developers harassed by legal threats when they detect such programs as malware. However, it turns out that it isn’t only rogue developers in Eastern Europe mining this particular seam, and you don’t even have to hit one of those buttons to get support.

Bits Under the Weather

I received a phone call from a researcher at another security company, asking me to check on a disquieting story he’d heard about aggressive marketing by the company I work for, or one of its affiliates. One of his colleagues (in the UK, where I live, as it happened) had received a phone call from someone claiming to be a Microsoft support analyst, advising him that his PC had a virus: he knew this because “Microsoft” had received a report from the PC. You might find this story of a PC under pressure sending out an SOS to Microsoft reminiscent of the old helpdesk joke – “I’ve been pressing F1 for over an hour now, and no-one from the helpdesk has contacted me!” – but in this case, it’s not so funny. The scammer told him that his event log showed numerous virus and hacking attacks, and that he would install a better antivirus product. When asked the name of the product he would be installing, he said it was ESET’s.

Well, that’s not a sales technique that any reputable security company wants to be associated with, so I did some digging. It turned out that my colleagues in the UK had received similar reports – in fact, they’d even had a request for support when “our” product failed to work. On that occasion, it turned out to be a “cracked” (illegitimate) copy, rather than some totally unconnected fake AV product. However, this kind of scam has subsequently been reported by other security companies in Europe, including Symantec, and while nearly all the reports I’ve seen suggest the same group of scammers operating under a number of different company names, I obviously can’t guarantee that the modus operandi will be the same every time.

Burn Notice

However, after my initial blog on the subject, independent security researcher Steve Burn directed me to a whole lot more information in his own blogs and elsewhere, and some of those resources are listed here.

Since, by definition, the issue affects people with pirated or fake copies rather than real security software, it isn’t possible to track incidents through the feedback mechanisms built into legitimate products. It only got my attention because:

• One or two people have subsequently tried to get support through suppliers of the real product.

• As a researcher, I’m fortunate enough to be able to exchange information with people like Steve who may be working in quite different areas, technologically speaking, to my own specialties, but have shared or complementary resources and skill-sets.

• A surprisingly high number of these scam calls were received by people working in the security industry or their friends and relatives, who were more alert to the discrepancies in the scam pitch than most everyday users would be.

In fact, that “surprisingly high number” suggests to me that the number of people who have been contacted but don’t have that background knowledge, and therefore don’t hit our radar, is probably much higher than it appears at first.

Anti-Social Engineering

Like so many scams, this one relies on social engineering – in this case, psychological manipulation of the victim by playing on his or her fear of malicious software and hacking – as well as a lack of technical knowledge and caution on the part of the prospective victim.

As Steve points out, “...typically the caller is asked to open up an Event Viewer to see the "evidence" of infection, before being asked to download remote desktop software in order for the technician to rectify the problem. Using the Event Viewer is how most people are persuaded that something is wrong with their machine, but in actual fact it simply reports information, warnings and errors regarding programs and Windows services.”

While current media reports mostly concern incidents in the UK or Europe involving phone calls that trace back to a company in India, Steve is aware of instances of the scam operating in the US going back to 2009 (and originating with the same company. The scam could just as easily be migrated to anywhere else with a malware-fearing population. After all, it doesn’t much matter where the caller is, in an age of cheap Internet telephony. Many of the domains used to date have been taken down, and others will follow, but it’s all too easy for a scammer to get hold of a whole new bunch of domains.

David Harley CITP FBCS CISSP is Research Fellow and Director of Malware Intelligence at ESET LLC , Chief Operations Officer at AVIEN, and on the Board of directors of AMTSO. He is a prolific blogger and author of security-focused conference papers and articles. His books include “Viruses Revealed” (Osborne/McGraw-Hill) and the “AVIEN Malware Defense Guide” (Syngress.) He joined ESET's Research team in January 2008 as Research Author, and was appointed Director of Malware Intelligence in August 2008.